40 million credit card numbers are at risk

In the largest reported breach of personal data, hackers infiltrated the computers at a credit card processing center and stole as many as 40 million card numbers, MasterCard International disclosed yesterday.

MasterCard said card numbers and expiration dates were harvested by a rogue program planted inside the computer network at CardSystems Inc., one of the low-profile firms that process merchant requests for credit-card authorization. When a retailer swipes a customer's card, the information goes to companies like CardSystems for approval before getting passed along to banks.

At least 68,000 accounts have had fake charges posted to them, said MasterCard Vice President Linda Locke. Most credit card companies reverse fraudulent charges that are reported to them. Social Security numbers and other personal information were not taken.

The attack exposed the numbers of 13.9 million MasterCards and an unknown number of other brands of cards, including American Express. Atlanta-based CardSystems processes $15 billion in charges annually for MasterCard, Visa, American Express, Discover and other cards. Visa did not return a call seeking comment.

"I think all four [of the major card issuers] will be tainted," said Chris Hoofnagle, West Coast director of the Electronic Privacy Information Center. "This is the biggest security breach by far."

Hackers and identity thieves trade and sell pilfered credit card numbers in online chat rooms, making it relatively easy for a single big theft to affect thousands of cards quickly. MasterCard, which uncovered the incursion, would not divulge the dollar amount of the fraud uncovered so far or say when the improper charges began.

"Several banks reported atypical patterns of fraud" this week, Locke said. With the help of security firm CyberTrust Inc., "we traced disparate patterns of fraud back to CardSystems." After examining the computers there, she said, "we believe that a hacker intruded and installed some malicious code that captured card information."

The FBI is investigating.

MasterCard said CardSystems hadn't been using industry safeguards at its Tucson, Ariz., processing center, suggesting to analysts that the numbers had not been encrypted. CardSystems did not return telephone calls seeking comment.

"There's no excuse for this," said Avivah Litan, a Gartner Inc. expert on the security of financial data. "This takes the cake."

MasterCard's revelation is the latest in an unprecedented series of reported data breaches that began this year with word that identity thieves had accessed sensitive information on at least 145,000 people tracked by data broker ChoicePoint Inc.

Major security lapses have also been disclosed affecting LexisNexis, Bank of America Corp., Wachovia Corp. and Citigroup Inc.

Hearings in Congress

The reports, spurred by a California law requiring notification of consumers put at risk, have driven a spate of congressional hearings and proposals for tighter regulation.

On Thursday, a Senate panel heard members of the Federal Trade Commission call for a national disclosure law and mandatory encryption, among other steps.

Several members of Congress said the latest incident underscored the need for new legislation, for example, to extend to payment processors the data-protection rules that are already applied to credit bureaus.

"Hardly a week goes by without startling new examples of breaches of sensitive personal data reminding us how important it is to pass a comprehensive identity theft prevention bill in Congress quickly," said Sen. Charles E. Schumer, a New York Democrat, who has sponsored a consumer data protection law.

MasterCard said it would support applying stricter rules to credit-card processors.

As typically happens when credit card information is stolen, MasterCard is leaving it up to the banks that issued the cards to warn the cardholders. It declined to name the banks.

Those banks usually don't pass the information along, since most pilfered numbers don't get used and since issuing new cards, as many customers would demand, can cost $35 or more.

If all 40 million cards were replaced, that might cost more than $1 billion.

"They could contain the damage," Litan said. "All they need to do is put a stop on those cards and issue new ones. But of course they won't do that, because it costs too much money."

Review statements

All credit card holders should review their monthly bills carefully, since they will be reimbursed only if they complain. And it's not hard to get a new card, which some consumer advocates recommend doing every few years as a matter of course.

Although cardholders won't be liable for fraudulent charges they report, they risk having their credit record damaged and spending many hours straightening things out.

Without mass replacement of the credit cards, the biggest financial losers could be retailers.

The credit card associations hold merchants responsible for most fake charges, even though the associations and their member banks often don't share their watch lists of compromised cards with those merchants.

Retailer resentment of those fraud policies and of the fees they pay credit-card processors is growing and could lead to class-action litigation, Litan said.

Financial data processors are obvious targets for hackers. In what may have been the largest previously known breach of credit card data, 8 million numbers were taken from a similar firm, Data Processors International, in 2003.